Implementing elliptic curve cryptosystems using Hesse curves over prime fields


Terje Gjøsæter, Kjetil Haslum, and Trond Stølen Gustavsen

Agder University College

Department of Information and Communication Technology

Grooseveien 36, N-4876 Grimstad, Norway

{tgjosate,khaslum}@siving.hia.no, trond.gustavsen@hia.no

Abstract. This paper presents results of experiments comparing elliptic curve cryptosystems using Hesse curves with systems using traditional Weierstrass curves. Elliptic curves on Hesse form are believed to give better performance than the forms presently used in implementations. To perform these experiments, we have implemented point operations on curves in C++. The results of the experiments show that use of Hesse curves leads to 20-30% faster implementations than Weierstrass curves. The Hesse form makes elliptic curve cryptography even more interesting as an alternative to RSA in practical applications, and is well suited for constrained computing devices such as smart cards.

Keywords: Cryptography, public key cryptography, elliptic curve cryptography, implementation.

1 Introduction

Since Koblitz and Miller independently suggested the use of elliptic curves in public key cryptography in 1985, increasingly effective implementations of elliptic curve cryptographic systems (ECC) have been developed. Today, these systems are as fast as systems based on integer factoring with the same key length, see [1].

Because elliptic curve cryptosystems have the same security as RSA, but with shorter keys, they are more effective, and can often replace RSA. ECC is particularly suited for use in smart cards, cellular phones and other constrained computing devices. This has led to an increased interest in ECC, and many important public key protocols have ECC counterparts.

Points on an elliptic curve constitute an additive abelian group, with addition as group operation.

Multiplication of a point on an elliptic curve by an integer, that is, adding the point to itself several times, is the foundation for the use of elliptic curves in cryptography. We use the notation

$$[n]P = \underbrace{P + P + \cdots + P}_{n}$$

where $P$ is a point on an elliptic curve, and $n$ is an integer. One simple and efficient algorithm for calculating $[n]P$ uses a combination of point doublings and point additions. The number of point doublings will always be equal to or higher than the number of point additions. By also using point subtractions, the number of point additions can be reduced. It is therefore most important that point doubling is fast.

All elliptic curves can be written in long Weierstrass form:

$$y^2 + a_1 xy + a_3 y = x^3 + a_2 x^2 + a_4 x + a_6 \tag{1}$$

Under some conditions the equation of the elliptic curve can be simplified to short Weierstrass form:

$$E_{a,b}: y^2 = x^3 + ax + b \tag{2}$$

Under some other conditions they can be written in Hesse form:

$$E_D: x^3 + y^3 + 1 = Dxy \tag{3}$$

The choice of form influences the performance of the operations in cryptographic systems, because the different representations have different formulas for point multiplication.

Recent research indicates that curves in Hesse form have a number of properties that make them well suited for use in cryptography, not only because of increased performance, but also because they can be used to protect against some types of side channel attacks. We will focus on performance experiments comparing short Weierstrass form and Hesse form.

There are two main types of ECC implementations, over $\mathbb{F}_{2^r}$ and over $\mathbb{F}_p$. In this paper we will describe the experiments we have performed with elliptic curves on Hesse form over finite fields $K = \mathbb{F}_p$. A description of ECC using the Hesse form over $\mathbb{F}_{2^r}$ can be found in [2].

The rest of this paper is organized as follows. In Section 2 we review the group law for points on elliptic curves. Section 3 explains how Hesse form can be used to protect against side channel attacks. In Section 4 we describe the experiments we have performed, and present the results of these experiments.

2 The Group law

Points on an elliptic curve make an abelian group under point addition.

If P and Q are two points on an elliptic curve E , then there is a group law such that P + Q is a well defined point on E .

2.1 Projective coordinates

In projective coordinates, two points $(x_1, y_1, z_1)$ and $(x_2, y_2, z_2)$ (where we may assume that $z_1, z_2 \neq 0$) are considered to be equivalent if there exists $\lambda \neq 0$ such that $\lambda(x_1, y_1, z_1) = (x_2, y_2, z_2)$. If $(x, y, z)$ represents a point in projective coordinates, the corresponding affine representation is obtained as $(x/z, y/z)$.

By using projective coordinates, it is possible to perform addition and doubling of points without division. Division over finite fields is usually much slower than multiplication, so it is usually advantageous to use projective coordinates, even if more additions and multiplications are needed than with affine¹ coordinates.

There are several kinds of projective coordinates. It is common to use Jacobian projective coordinates, see [3], for Weierstrass form, and normal projective coordinates for Hesse form.

2.2 Group law for points on Hesse curves

Implementation based on Weierstrass curves is well documented and tested, and is most commonly used in implementations of ECC today, see [4]. Recommended standard curves are Weierstrass curves. There are good guidelines and methods for choosing cryptographically strong curves. We have chosen not to go into details about use of Weierstrass form, since many good descriptions of this already exist, for example [3], [1] and [5].

Let $P = (x_1, y_1, z_1)$ and $Q = (x_2, y_2, z_2)$ be two different points in normal projective coordinates on an elliptic curve $E_D$. $P + Q$, $-P$ and $[2]P$ can then be expressed as follows:

$$P + Q = (y_1^2 x_2 z_2 - y_2^2 x_1 z_1,\; x_1^2 y_2 z_2 - x_2^2 y_1 z_1,\; z_1^2 x_2 y_2 - z_2^2 x_1 y_1) \tag{4}$$

$$-P = (y_1, x_1, z_1) \tag{5}$$

$$[2]P = (y_1 (x_1^3 - z_1^3),\; x_1 (z_1^3 - y_1^3),\; z_1 (y_1^3 - x_1^3)) \tag{6}$$

A big advantage of using Hesse form is that the point operations can be performed concurrently, see [2].

Addition of two points $P + Q = R$ where $P = (x_1, y_1, z_1)$, $Q = (x_2, y_2, z_2)$, $R = (x_3, y_3, z_3)$ and $P, Q, R \in E_D(K)$ can be executed concurrently in the following way:

$$
\begin{array}{lll}
\lambda_1 = y_1 x_2 & \lambda_2 = x_1 y_2 & \lambda_3 = x_1 z_2 \\
\lambda_4 = z_1 x_2 & \lambda_5 = z_1 y_2 & \lambda_6 = z_2 y_1 \\
s_1 = \lambda_1 \lambda_6 & s_2 = \lambda_2 \lambda_3 & s_3 = \lambda_5 \lambda_4 \\
t_1 = \lambda_2 \lambda_5 & t_2 = \lambda_1 \lambda_4 & t_3 = \lambda_6 \lambda_3 \\
x_3 = s_1 - t_1 & y_3 = s_2 - t_2 & z_3 = s_3 - t_3
\end{array} \tag{7}
$$

The doubling formulas can be executed concurrently in a similar way, see [2].

Table 2 contains an overview of the number of basic operations needed to perform addition and doubling of points in Weierstrass form and Hesse form.

3 Side channel attacks

All point operations in Hesse form can be computed with only the formula for addition. This can to a certain degree protect against side channel attacks where the system is cracked with the help of side channel information (such as power, time, etc.) that can be used to calculate the number of additions and doublings that are performed in a multiplication. In some situations this can be used to find the secret integer that the point has been multiplied with.

¹ By the affine plane we mean the set of all tuples $(x, y) \in K^2$.

Table 1. Timings for operations on field elements with lengths 160 bit and 240 bit.

| Operation | Time($p_{160}$) | Time($p_{240}$) | Abbreviation |
|---|---|---|---|
| add(c,a,b) | 0.46 µs | 0.51 µs | A |
| subtract(c,a,b) | 0.44 µs | 0.52 µs | SU |
| negate(c,a) | 0.51 µs | 0.57 µs | |
| a.multiply_by_2() | 0.47 µs | 0.52 µs | M2 |
| a.divide_by_2() | 23.76 µs | 28.34 µs | I2 |
| multiply(c,a,b) | 2.57 µs | 5.50 µs | M |
| divide(c,a,b) | 39.72 µs | 63.08 µs | |
| invert(c,a) | 33.39 µs | 53.64 µs | I |
| square(c,a) | 2.33 µs | 4.84 µs | SQ |
| power(c,a,3) | 11.46 µs | 16.80 µs | |

[6] describes how point doubling and point subtraction can be performed by swapping coordinates and then using the formula for point addition. This technique is claimed by [6] to be at least 33% faster than other existing methods for protection against side channel attacks.

Let $P = (x, y, z)$ be a point on a Hesse curve. Then $[2]P$ can be calculated by adding the points $(z, x, y)$ and $(y, z, x)$ with equation 4, see [6] page 6.

We have not used this method in our tests.
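The group law of Section 2.2 and the doubling-by-addition technique described above, as an added example that is not the authors' code: equations (5), (6) and (7) over a toy prime field, with the swap-based doubling compared against the dedicated formula. The prime $2^{31}-1$, the curve $E_6$ and the point $(2, 3, 1)$ are constructed for the illustration, and all function names are assumptions.

```cpp
#include <array>
#include <cstdint>

// Constructed toy parameters, not the paper's curves: (2, 3) satisfies
// x^3 + y^3 + 1 = 6xy over the integers, so it lies on E_6 modulo any prime.
constexpr std::uint64_t PRIME = 2147483647;  // 2^31 - 1, products fit in 64 bits
constexpr std::uint64_t CURVE_D = 6;
using Point = std::array<std::uint64_t, 3>;  // projective (x, y, z), reduced mod PRIME

std::uint64_t mul(std::uint64_t a, std::uint64_t b) { return a * b % PRIME; }
std::uint64_t sub(std::uint64_t a, std::uint64_t b) { return (a + PRIME - b) % PRIME; }
std::uint64_t cube(std::uint64_t a) { return mul(mul(a, a), a); }

// Equation (7): six independent products, then s_i and t_i, then three
// subtractions (12 M + 3 SU). For P == Q the formula yields (0, 0, 0).
Point add(const Point& p, const Point& q) {
    std::uint64_t l1 = mul(p[1], q[0]), l2 = mul(p[0], q[1]), l3 = mul(p[0], q[2]);
    std::uint64_t l4 = mul(p[2], q[0]), l5 = mul(p[2], q[1]), l6 = mul(q[2], p[1]);
    return {sub(mul(l1, l6), mul(l2, l5)),   // x3 = s1 - t1
            sub(mul(l2, l3), mul(l1, l4)),   // y3 = s2 - t2
            sub(mul(l5, l4), mul(l6, l3))};  // z3 = s3 - t3
}

// Equation (5): negation swaps x and y.
Point neg(const Point& p) { return {p[1], p[0], p[2]}; }

// Equation (6): the dedicated doubling formula.
Point dbl(const Point& p) {
    std::uint64_t x3 = cube(p[0]), y3 = cube(p[1]), z3 = cube(p[2]);
    return {mul(p[1], sub(x3, z3)), mul(p[0], sub(z3, y3)), mul(p[2], sub(y3, x3))};
}

// Section 3: doubling with the addition formula only, [2]P = (z, x, y) + (y, z, x).
Point dbl_via_add(const Point& p) {
    return add({p[2], p[0], p[1]}, {p[1], p[2], p[0]});
}

// Projective curve equation x^3 + y^3 + z^3 = D x y z; (0, 0, 0) is not a point.
bool on_curve(const Point& p) {
    std::uint64_t lhs = (cube(p[0]) + cube(p[1]) + cube(p[2])) % PRIME;
    return (p[0] | p[1] | p[2]) != 0 && lhs == mul(CURVE_D, mul(p[0], mul(p[1], p[2])));
}

// Two triples name the same projective point when all cross products agree.
bool same_point(const Point& a, const Point& b) {
    return mul(a[0], b[1]) == mul(a[1], b[0]) && mul(a[0], b[2]) == mul(a[2], b[0]) &&
           mul(a[1], b[2]) == mul(a[2], b[1]);
}

int main() {
    Point p = {2, 3, 1};
    return on_curve(p) && dbl(p) == dbl_via_add(p) && on_curve(add(p, dbl(p))) ? 0 : 1;
}
```

Because the swapped operands differ from each other, the addition formula never sees the P == Q case that would otherwise force a separate doubling routine.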

4 Implementation and experiments

We have implemented point operations on elliptic curves using C++, compiled with GCC, see [7]. We have also used the libraries Gnu MP, see [8], and LiDIA, see [9]. All results in this section are averages from 100 tests (with randomly chosen points).

We have timed the execution of some operations on elements of finite fields from LiDIA; the results from these tests are shown in Table 1. This is the foundation for considerations about time consumption of the formulas for addition and doubling.

The tests of basic field operations are performed over the same finite field as the point operations, so the results from the different tests are comparable.

The tests are performed over two different finite fields $\mathbb{F}_p$, where $p_{160}$ is a prime of length 160 bit and $p_{240}$ another prime of length 240 bit; these are realistic sizes for use in cryptography.

Table 2. Basic operations in addition and doubling on an elliptic curve over a finite field. (Abbreviations as in Table 1.)

| Op. | Implementation | Basic operations |
|---|---|---|
| Add. | LiDIA affine | 2·M + SQ + I + 6·SU |
| Add. | LiDIA proj. | 12·M + 4·SQ + A + 7·SU + 2·M2 + I2 |
| Add. | Weierstrass | 12·M + 4·SQ + 2·A + 5·SU + 6·M2 |
| Add. | Hesse | 12·M + 3·SU |
| Add. mix. | LiDIA proj. | 8·M + 3·SQ + A + 7·SU + M2 + I2 |
| Add. mix. | Weierstrass | 8·M + 3·SQ + A + 5·SU + 7·M2 |
| Add. mix. | Hesse | 10·M + 3·SU |
| Dbl. | LiDIA affine | 3·M + 2·SQ + I + A + 3·SU + 2·M2 |
| Dbl. | LiDIA proj. | 4·M + 6·SQ + 4·A + 3·SU + 6·M2 |
| Dbl. | Weierstrass | 4·M + 6·SQ + 4·A + 3·SU + 6·M2 |
| Dbl. | Hesse | 6·M + 3·SQ + 3·SU |

We have found two curves which we use in the tests. The first curve is specified by the following data:

$p_{160}$ = 1224753567915253525600877180059052116597297173971
$D$ = 155084242162794225825732878535100753203309440242
$a$ = 180890127234310861440619063553097796467445303876
$b$ = 638723106561030470678231670371932421650351389855

The Hesse form is given by the specified $D$, and the corresponding Weierstrass² curve is given by $a$ and $b$. The second curve is given similarly by:

$p_{240}$ = 1692071621110286699141341896411670096195987131713624502236260775181406103
$D$ = 702497238573896875692799960114136297227310413820769850347558251120978749
$a$ = 431643474101790531809507705073497143389255228180223876860393494532849250
$b$ = 993890749750054797374570702618347228585971779775823602477561598691887183

The orders (numbers of points) of the curves are

$\#E(K)$ = 3 · 408251189305084508533625839539957518966956101071

and

$\#E(K)$ = 3 · 564023873703428899713780632137223365818270640175008070683797831988112711

respectively. For both curves the order $\#E(K)$ is a prime number multiplied by three. Note that the order of a Hesse curve is always divisible by three.

Table 2 shows the number of basic field operations used in point operations. LiDIA affine and LiDIA proj. refer to the implementation provided by LiDIA. Weierstrass and Hesse refer to our implementation. LiDIA proj. and Weierstrass are both implementations of point operations using Jacobian projective coordinates, but we have made some improvements in our implementation; one of the changes is to substitute one divide_by_2() by 5 multiply_by_2(), which has led to increased performance.

² The Hesse curve and the Weierstrass curve are birationally equivalent.

Table 3. Timings for addition and doubling on the elliptic curve over the finite fields with characteristics $p_{160}$ and $p_{240}$.

| Op. | Implementation | 160 bit, measured | 160 bit, estimated | 240 bit, measured | 240 bit, estimated |
|---|---|---|---|---|---|
| Add. | LiDIA affine | 83.91 µs | 43.5 µs | 114.37 µs | 72.54 µs |
| Add. | LiDIA proj. | 91.88 µs | 68.4 µs | 143.02 µs | 118.2 µs |
| Add. | Weierstrass | 52.32 µs | 46.1 µs | 98.71 µs | 92.05 µs |
| Add. | Hesse | 36.31 µs | 32.16 µs | 72.27 µs | 67.53 µs |
| Add. mix. | LiDIA proj. | 79.07 µs | 55.32 µs | 116.24 µs | 91.46 µs |
| Add. mix. | Weierstrass | 38.55 µs | 33.50 µs | 70.78 µs | 64.18 µs |
| Add. mix. | Hesse | 31.58 µs | 27.02 µs | 61.58 µs | 56.53 µs |
| Dbl. | LiDIA affine | 73.36 µs | 48.48 µs | 105.31 µs | 82.90 µs |
| Dbl. | LiDIA proj. | 55.26 µs | 30.24 µs | 83.34 µs | 57.73 µs |
| Dbl. | Weierstrass | 37.18 µs | 30.24 µs | 65.08 µs | 57.73 µs |
| Dbl. | Hesse | 26.1 µs | 23.73 µs | 51.75 µs | 47.97 µs |

If the $z$-coordinate of one of the points equals 1, the formula for addition can be simplified; this is called mixed coordinates. If the point to be multiplied is known in advance, all the doublings can be precalculated, and the points resulting from these precalculations can be normalized with $z = 1$. We have implemented this, and refer to it as add. mix. in Tables 2 and 3.

Table 3 shows the results from the experiments with point operations.

The estimated timings shown in Table 3 are based on the timings of the basic operations in Table 1. They can be considered as a lower bound, because we have only taken into account the field operations in the point operations, since they are the most time-consuming operations.

Table 3 shows a bigger difference between measured and estimated timings for LiDIA’s point operations. We think there are three main reasons for this: LiDIA’s operations contain local variable declarations in the point operation functions, more tests are performed, and they use function pointers to make the functions more general.

4.1 Point multiplication

Point multiplication can be performed by repeated doublings and additions; one doubling is needed for every bit in the representation of the number the point is to be multiplied with. If one uses subtraction in addition to doubling and addition, multiplication can be sped up by using the so-called SD2 (Signed Digit base 2) representation. In SD2 representation, the number to be multiplied is represented by digits from $\{-1, 0, 1\}$ instead of only 0 and 1, such that the number of zeros is minimized. This leads to a reduced number of additions. SD2 is the algorithm used in our implementation of point multiplication.
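An added sketch of SD2 recoding and the double-and-add/subtract loop it drives, not the authors' implementation. The recoding used here is the non-adjacent form; the integers under addition stand in for the curve group so the result can be checked directly, and all function names are assumptions.

```cpp
#include <bitset>
#include <cstddef>
#include <cstdint>
#include <vector>

// SD2 digits of k (k < 2^63), least significant first, each in {-1, 0, 1}.
// An odd k gets digit 1 if k mod 4 == 1 and -1 if k mod 4 == 3, which forces
// the next digit to be 0, so no two neighbouring digits are both nonzero.
std::vector<int> sd2(std::uint64_t k) {
    std::vector<int> digits;
    while (k != 0) {
        int d = 0;
        if (k & 1) {
            d = (k & 3) == 1 ? 1 : -1;
            k = (d == 1) ? k - 1 : k + 1;
        }
        digits.push_back(d);
        k >>= 1;
    }
    return digits;
}

struct OpCount { int doublings = 0; int additions = 0; };

// Left-to-right double-and-add/subtract driven by the SD2 digits. The group is
// the integers under addition, a stand-in chosen so that [k]g is easy to check;
// on a Hesse curve r - g would be an addition of -g, and -g is a coordinate swap.
long long multiply(std::uint64_t k, long long g, OpCount& ops) {
    long long r = 0;  // neutral element
    std::vector<int> digits = sd2(k);
    for (std::size_t i = digits.size(); i-- > 0;) {
        r = r + r;
        ++ops.doublings;
        if (digits[i] == 1) { r = r + g; ++ops.additions; }
        if (digits[i] == -1) { r = r - g; ++ops.additions; }
    }
    return r;
}

// Additions needed by plain binary double-and-add: one per set bit of k.
int binary_additions(std::uint64_t k) {
    return static_cast<int>(std::bitset<64>(k).count());
}

int main() {
    OpCount ops;
    long long r = multiply(119, 5, ops);  // 119 = 1110111b, SD2: 1 0 0 0 -1 0 0 -1
    return (r == 595 && ops.additions == 3 && binary_additions(119) == 6) ? 0 : 1;
}
```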

Table 4. Timings for point multiplication on the elliptic curve over the finite field with characteristic $p_{160}$, and $p_{240}$.

| Multiplication | 160 bit, measured | 160 bit, estimated | 240 bit, measured | 240 bit, estimated |
|---|---|---|---|---|
| LiDIA affine | 16.35 ms | 16.14 ms | 34.81 ms | 34.32 ms |
| LiDIA Jacobian | 14.58 ms | 13.69 ms | 32.14 ms | 31.44 ms |
| Weierstrass Jacobian | 8.91 ms | 8.70 ms | 23.72 ms | 23.40 ms |
| Hesse | 6.24 ms | 6.09 ms | 18.39 ms | 18.17 ms |

The important operation during encryption and decryption is point multiplication, $[k]P$. In this calculation, $k$ is often a random value of the same size as the order of the curve. In our tests, we have chosen $k$ to be a random value between 0 and the number of points on the curve. The results are given in Table 4.

Our implementations of the two forms show that Hesse form is 30% faster than short Weierstrass form for 160 bit and 20% better for 240 bit. We believe that our results clearly indicate that cryptosystems using Hesse curves perform better than systems using Weierstrass curves.

The main reason for the decrease in the difference in execution time for 240 bit compared to 160 bit is that the execution time for multiplication of elements in a finite field increases much faster than the other basic operations. Therefore the difference in number of multiplications becomes most important for the result.

Note that in all our estimates we count all basic field operations, and not only multiplications (and squarings) as commonly seen in the literature. For 160 bit, an estimate based only on a count of multiplications (and squarings) would (see Table 2) in fact predict a smaller performance gain (about 15%), compared to our results and estimates (about 30%).

5 Conclusion

Our experiments indicate that cryptosystems using Hesse curves perform better than systems using Weierstrass curves. Moreover, the performance gain is bigger than one would expect from a count of field multiplications as commonly seen in the literature. This is because the formulas for point operations for Hesse form are simpler than those for short Weierstrass form.

Based on this, we conclude that elliptic curve cryptosystems using the Hesse form should be considered as an interesting alternative, especially in constrained computing devices such as smart cards.

Finally we believe that our results show that the Hesse form can make elliptic curve cryptography even more interesting as an alternative to RSA in practical applications.

References

1. M. Rosing, Implementing Elliptic Curve Cryptography. Manning, 1999.

2. N. P. Smart, “The Hessian form of an elliptic curve,” in CHES 2001, Koc, Naccache, and Paar, Eds. Springer-Verlag LNCS 2162, May 2001, pp. 118–125.

3. Blake, Seroussi, and Smart, Elliptic Curves in Cryptography. Cambridge University Press, 1999.

4. IEEE 1363-2000: Standard Specifications for Public Key Cryptography, IEEE Std. [Online]. Available: http://grouper.ieee.org/groups/1363/

5. A. Miyaji, T. Ono, and H. Cohen, “Efficient elliptic curve exponentiation,” in Advances in Cryptology-Proceedings of ICICS’97. Springer-Verlag LNCS 1334, 1997, pp. 282–290.

6. M. Joye and J.-J. Quisquater, “Hessian elliptic curves and side-channel attacks,” in CHES 2001. Springer-Verlag LNCS 2162, 2001, pp. 402–410.

7. GCC home page. [Online]. Available: http://gcc.gnu.org/

8. The Gnu MP home page. [Online]. Available: http://www.swox.com/gmp/

9. LiDIA-Group. (2001) LiDIA - A library for computational number theory. [Online]. Available: http://www.informatik.tu-darmstadt.de/TI/LiDIA/
